Do passphrases protect against leaks or compromises of mnemonic seed words? Why are brain wallets usually insecure? Why should you not “roll your own crypto” or promote creative schemes that deviate from standards such as BIP39 without at least getting peer review and testing from other developers, cryptographers, or security researchers?
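The mechanics behind the first question, as an added example that is not part of the video or of any wallet vendor's code: BIP39 turns the mnemonic into a 512-bit seed with PBKDF2-HMAC-SHA512 (2048 rounds, salt "mnemonic" + passphrase), so a leaked mnemonic leaves the attacker with exactly one unknown, the passphrase, and its entropy is all that remains. The same brute-force loop is shown against a salt-free brain wallet (private key = SHA256 of a human-chosen phrase). The candidate wordlist and the victim passphrase below are constructed for the example; the one known-answer check uses the first entry of the published BIP39 reference test vectors.

```python
import hashlib
import math
import unicodedata

PBKDF2_ROUNDS = 2048   # fixed by the BIP39 specification
PBKDF2_DKLEN = 64      # 512-bit seed


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 mnemonic -> 512-bit seed.

    seed = PBKDF2-HMAC-SHA512(password=NFKD(mnemonic),
                              salt=NFKD("mnemonic" + passphrase),
                              rounds=2048, dklen=64)
    The passphrase is only salt. The word checksum is not verified here, and
    every passphrase (including a mistyped one) yields a different, valid seed.
    """
    pw = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", pw, salt, PBKDF2_ROUNDS, dklen=PBKDF2_DKLEN)


def brainwallet_key(phrase: str) -> bytes:
    """Classic brain wallet: private key = SHA256(phrase).
    No salt, no key stretching, and the phrase is chosen by a human."""
    return hashlib.sha256(phrase.encode("utf-8")).digest()


def crack_bip39_passphrase(mnemonic: str, target_seed: bytes, candidates):
    """Attacker model from the question: the words leaked, the passphrase did not.
    Returns (passphrase, guesses_used) or (None, guesses_used)."""
    for n, cand in enumerate(candidates, 1):
        if bip39_seed(mnemonic, cand) == target_seed:
            return cand, n
    return None, len(candidates)


def crack_brainwallet(target_key: bytes, candidates):
    """Same loop against a brain wallet: one SHA256 per guess instead of 2048 HMACs."""
    for n, cand in enumerate(candidates, 1):
        if brainwallet_key(cand) == target_key:
            return cand, n
    return None, len(candidates)


def passphrase_entropy_bits(n_words: int, dictionary_size: int) -> float:
    """Entropy of n_words drawn uniformly and independently from a dictionary."""
    return n_words * math.log2(dictionary_size)


# First entry of the BIP39 reference test vectors (all-zero entropy, passphrase "TREZOR").
VECTOR_MNEMONIC = ("abandon " * 11 + "about").strip()
VECTOR_PASSPHRASE = "TREZOR"
VECTOR_SEED_HEX = ("c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
                   "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04")

# Constructed attacker wordlist and victim choices for the demo (not real data).
CANDIDATES = ["", "password", "bitcoin", "satoshi", "hodl", "trezor123"]
VICTIM_PASSPHRASE = "satoshi"
VICTIM_BRAIN_PHRASE = "bitcoin"


def demo() -> dict:
    """Run the scenario and return the facts worth checking."""
    vector_ok = bip39_seed(VECTOR_MNEMONIC, VECTOR_PASSPHRASE).hex() == VECTOR_SEED_HEX

    leaked_mnemonic = VECTOR_MNEMONIC                     # the 12 words are public
    wallet_seed = bip39_seed(leaked_mnemonic, VICTIM_PASSPHRASE)
    found, guesses = crack_bip39_passphrase(leaked_mnemonic, wallet_seed, CANDIDATES)

    brain_found, brain_guesses = crack_brainwallet(
        brainwallet_key(VICTIM_BRAIN_PHRASE), CANDIDATES)

    return {
        "vector_ok": vector_ok,
        "seed_len": len(wallet_seed),
        "cracked_passphrase": found,
        "guesses": guesses,
        "brainwallet_cracked": brain_found,
        "brainwallet_guesses": brain_guesses,
        # one extra BIP39 word as "passphrase" vs. a 12-word diceware passphrase
        "one_word_bits": passphrase_entropy_bits(1, 2048),
        "diceware12_bits": passphrase_entropy_bits(12, 7776),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The numbers are the point: a single word from the 2048-word BIP39 list adds 11 bits, so a leaked mnemonic with a one-word passphrase falls in at most 2048 guesses even with PBKDF2; twelve diceware words add about 155 bits, which is what makes the "passphrase as second factor" argument hold. The brain-wallet loop shows why unsalted SHA256 of a phrase is worse still: no stretching, and the attacker can precompute the whole dictionary once against every address ever published.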

See the documentation and support pages of various hardware wallets for more information:

Trezor – https://doc.satoshilabs.com/trezor-faq/overview.html https://blog.trezor.io/using-advanced-recovery-on-trezor-4af0eb53c3bb
Ledger Nano S – https://support.ledgerwallet.com/hc/en-us/articles/360000613793-Initialize-your-device
Ledger Blue – https://support.ledgerwallet.com/hc/en-us/articles/360005835414-Initialize-your-device
KeepKey – https://help.keepkey.com/start-here/initialize-your-keepkey https://help.keepkey.com/how-to-guides/how-to-recover-your-keepkey

On the topic of inheritance and estate planning, see: https://youtu.be/4g8rO_queMw

These questions are from the August monthly Patreon Q&A session, which took place (late) on September 1st 2018. If you want early-access to talks and a chance to participate in the monthly live Q&As with Andreas, become a patron: https://www.patreon.com/aantonop

RELATED:
How do I choose a wallet? – https://youtu.be/tN6b62sEpsY
Secure, tiered storage system – https://youtu.be/uYIVuZgN95M
Hardware wallets and attack surface – https://youtu.be/8mpDcBfNA7g
Setting up secure storage devices – https://youtu.be/wZ9LxLLvfXc
What is a private key? – https://youtu.be/xxfUpIV9wRI
How do mnemonic seeds work? – https://youtu.be/wWCIQFNf_8g
Using paper wallets – https://youtu.be/cKehFazo8Pw
Wallet design and mass adoption – https://youtu.be/WbZX6BDZJHc
Cryptographic primitives – https://youtu.be/RIckQ6RBt5E
Public keys vs. addresses – https://youtu.be/8es3qQWkEiU
Re-using addresses – https://youtu.be/4A3urPFkx8g
Coin selection and privacy – https://youtu.be/3Ck683CQGAQ
Multi-signature and distributed storage – https://youtu.be/cAP2u6w_1-k
Nonces, mining, and quantum computing – https://youtu.be/d4xXJh677J0
Software distribution security – https://youtu.be/_V0vqy046YM
Protocol development security – https://youtu.be/4fsL5XWsTJ4
Geopolitics and state-sponsored attacks – https://youtu.be/htxPRTJLK-k
How to get people to care about security – https://youtu.be/Ji1lS9NMz1E
Honest nodes and consensus – https://youtu.be/KAhY2ymI-tg
Why running a node is important – https://youtu.be/oX0Yrv-6jVs

Andreas M. Antonopoulos is a technologist and serial entrepreneur who has become one of the most well-known and respected figures in bitcoin.

Follow on Twitter: @aantonop https://twitter.com/aantonop
Website: https://antonopoulos.com/

He is the author of two books: “Mastering Bitcoin,” published by O’Reilly Media and considered the best technical guide to bitcoin; “The Internet of Money,” a book about why bitcoin matters.

THE INTERNET OF MONEY, v1: https://www.amazon.co.uk/Internet-Money-collection-Andreas-Antonopoulos/dp/1537000454/ref=asap_bc?ie=UTF8

[NEW] THE INTERNET OF MONEY, v2: https://www.amazon.com/Internet-Money-Andreas-M-Antonopoulos/dp/194791006X/ref=asap_bc?ie=UTF8

MASTERING BITCOIN: https://www.amazon.co.uk/Mastering-Bitcoin-Unlocking-Digital-Cryptocurrencies/dp/1449374042

[NEW] MASTERING BITCOIN, 2nd Edition: https://www.amazon.com/Mastering-Bitcoin-Programming-Open-Blockchain/dp/1491954388

Translations of MASTERING BITCOIN: https://bitcoinbook.info/translations-of-mastering-bitcoin/

Subscribe to the channel to learn more about Bitcoin & open blockchains!

Music: “Unbounded” by Orfan (https://www.facebook.com/Orfan/)
Outro Graphics: Phneep (http://www.phneep.com/)
Outro Art: Rock Barcellos (http://www.rockincomics.com.br/)


42 COMMENTS

  1. I disagree with Andreas here. If the passphrase is cryptographically strong, i.e. 128 to 256 bits of entropy, then publishing the seed does not compromise the security. A seed with 256 bits of entropy plus a passphrase with 256 bits of entropy yields 512 bits of entropy. Giving up 256 bits (the seed) leaves you with 256 bits (the passphrase) and you're still good. In other words: a published 24-word seed + 256-bit passphrase is equal to a 24-word seed without a passphrase. Both have 256 bits of entropy.

    Ideally, one would use a 24-word-seed and a differently created 128+ bits passphrase (like a 12+ word diceware passphrase) and of course keep both secure and offline. The advantage is, should it turn out that the RNG of the hardware used was weak, you at least have the entropy of the passphrase, which is enough if it's 128+ bits.

    Also: @8:20
    128 bits of entropy is also unbruteforceable. In practical terms, there's no security difference between 256 and 128 bits of entropy, even less when key stretching is applied. Most wallets use a 12 word seed, which equals "only" 128 bits of entropy, anyway.

    Change my mind.

    PS: But that being said: don't fucking invent your own crypto.

  2. But half a seed representing 128 bits is still more than enough, isn't it?
    You just said seeds are 12 to 24 words. So half of a 24-word seed should still be plenty secure?

    It's curious because at Honeybadger 2018 the Trezor dev said the same thing so you are probably correct. But why?

  3. Can you tell me: let's say I keep my 24-word key secure and add a word for my passphrase. How secure would that second wallet be? Assuming they don't assume a 25th passphrase and they don't have the 24-word seed?

  4. So does this mean that using the 12-word seed with the Trezor Model T is significantly less secure than a Trezor One with a 24-word seed? The Model T only allows for generating a 12-word seed (via GUI), so it would seem Trezor’s new product is a bad purchase unless you have an existing 24-word seed you can input? If I have a Ledger Nano S, should I just generate the seed on there and then input that into the Trezor Model T, or is that not advisable in case Ledger has an unknown vulnerability which would essentially make it like putting all your eggs in one basket?

  5. Hi Andreas, would it be safe to mix 6 random words (that you have memorized) into your 24 seed words, and then make it public (so you will never lose it)?

  6. It's ok, Andreas, I devised my own infallible scheme! I'll post my passphrase and my mnemonic seed online, but I'll post each one with a different account. The seed with jondoe07, and the passphrase with jondoe08. Then no one will be the wiser!

  7. My question would be: if BIP39 is a standard, isn't it subject to the standardized attack vector? So a hacker only needs to break BIP39 and has the ability to attack all wallets in existence.
